TCP ports client side

  • Question

  • Hello.

    In my network infrastructure I have a WSUS server and some clients.

    Due to traffic restrictions, some clients cannot reach the WSUS because the "handshake" packets (i.e. the ones using "random" ports) are filtered. Using a LAN packet analyzer I observed the attempts of these clients to contact the WSUS server on a nice range of ports: 49647, 46648, 49649, 49651, 55059 and so on.

    On the other clients I don't have any problem because I can avoid applying any filter.

    My question is:

    May I configure the clients (WK8R2) to use some specific port to establish contact with the WSUS server?

    Thank you for your attention


    Monday, July 7, 2014 11:38 AM

All replies

  • That's probably the source port you are talking about.

    I don't know if it applies to WSUS, but maybe you can limit the RPC ports used by clients. The destination port is normally 80 or 8035.

    http://blogs.technet.com/b/dpm/archive/2011/06/28/how-to-limit-dynamic-rpc-ports-used-by-dpm-and-protected-servers.aspx

    best regards

    jesper vindum, denmark

    Monday, July 7, 2014 12:29 PM
  • Hi,

    As with most TCP connections, the source port is random. It is the destination port that really matters.

    Note that WSUS is completely HTTP/HTTPS based and has configurable listening ports.

    http://technet.microsoft.com/en-us/library/bb693717.aspx

    By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site.


    MCP/MCSA/MCTS/MCITP

    Monday, July 7, 2014 12:39 PM
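
The point made in the answer above (the client's OS picks the source port, only the destination port is fixed) can be observed directly. The following Python sketch is an added example, not part of the original thread; it assumes a loopback listener on an OS-assigned port as a stand-in for the WSUS listener, and the function names are hypothetical.

```python
import socket

def observe_flows(n=5):
    """Open n concurrent loopback connections; return (src_port, dst_port) pairs."""
    # Assumption: a loopback listener on an OS-assigned port stands in for the
    # WSUS listener (8530/8531 in the answer) so the demo never hits a real service.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(5)
    server.bind(("127.0.0.1", 0))
    server.listen(n)
    dst_port = server.getsockname()[1]
    open_socks, flows = [server], []
    try:
        for _ in range(n):
            client = socket.create_connection(("127.0.0.1", dst_port), timeout=5)
            open_socks.append(client)  # kept open, so each source port stays in use
            conn, peer = server.accept()
            open_socks.append(conn)
            flows.append((peer[1], dst_port))  # peer[1] is the client's source port
    finally:
        for s in open_socks:
            s.close()
    return flows

def allowed(flows, rule):
    """Return the flows that a stateless allow rule would pass."""
    return [f for f in flows if rule(*f)]

def compare_rules(flows):
    """Compare a rule pinned to one captured source port with a destination-port rule."""
    captured_src, dst = flows[0]
    by_source = allowed(flows, lambda sport, dport: sport == captured_src)
    by_destination = allowed(flows, lambda sport, dport: dport == dst)
    return by_source, by_destination

if __name__ == "__main__":
    flows = observe_flows()
    by_src, by_dst = compare_rules(flows)
    for sport, dport in flows:
        print(f"client:{sport} -> server:{dport}")
    print(f"source-port rule passes {len(by_src)} of {len(flows)} connections")
    print(f"destination-port rule passes {len(by_dst)} of {len(flows)} connections")
```

A rule written from the source port seen in one capture matches only that one connection, while a rule on the server's listening port matches every connection.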
  • First of all, thank you for the answers, but I wasn't clear in explaining my problem.

    I know that the WSUS server communicates on ports 80 or 8531, for HTTP or HTTPS. I have to focus on the clients, which start the connection using a random port. My question is whether it is possible to restrict the range for the random choice of the clients (just like I did some time ago for another matter, about FTPS connections).

    As I have a firewall that filters almost all the ports, the source port really matters in my situation, because traffic from the clients doesn't reach WSUS.

    Thank you for your attention

    Wednesday, July 9, 2014 4:38 PM
  • Did you try the RPC lockdown?

    //jesper

    Wednesday, July 9, 2014 6:44 PM